```html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Spring Boot 安全防护全指南 | 技术小馆</title>
    <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/6.4.0/css/all.min.css">
    <link rel="stylesheet" href="https://cdn.staticfile.org/tailwindcss/2.2.19/tailwind.min.css">
    <link href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@400;500;600;700&family=Noto+Sans+SC:wght@300;400;500;700&display=swap" rel="stylesheet">
    <script src="https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.min.js"></script>
    <style>
        body {
            font-family: 'Noto Sans SC', 'Noto Serif SC', Tahoma, Arial, Roboto, "Droid Sans", "Helvetica Neue", "Droid Sans Fallback", "Heiti SC", "Hiragino Sans GB", Simsun, sans-serif;
            color: #333;
            line-height: 1.6;
        }
        .hero-gradient {
            background: linear-gradient(135deg, #6e48aa 0%, #9d50bb 100%);
        }
        .code-block {
            background-color: #2d2d2d;
            color: #f8f8f2;
            border-radius: 6px;
            overflow-x: auto;
        }
        .vulnerability-card:hover {
            transform: translateY(-5px);
            box-shadow: 0 10px 25px rgba(0, 0, 0, 0.1);
        }
        .solution-tag {
            background-color: #48bb78;
            animation: pulse 2s infinite;
        }
        @keyframes pulse {
            0% { opacity: 0.8; }
            50% { opacity: 1; }
            100% { opacity: 0.8; }
        }
        .dropdown-content {
            max-height: 0;
            overflow: hidden;
            transition: max-height 0.3s ease-out;
        }
        .dropdown:hover .dropdown-content {
            max-height: 1000px;
        }
        .first-letter {
            font-size: 3.5em;
            line-height: 0.8;
            float: left;
            margin-right: 0.1em;
            font-weight: 700;
            color: #6e48aa;
        }
    </style>
</head>
<body class="bg-gray-50">
    <!-- Hero Section -->
    <section class="hero-gradient text-white py-20 px-4 md:px-0">
        <div class="container mx-auto max-w-5xl">
            <div class="flex flex-col md:flex-row items-center">
                <div class="md:w-1/2 mb-10 md:mb-0">
                    <h1 class="text-4xl md:text-5xl font-bold mb-4">Spring Boot 安全防护全指南</h1>
                    <p class="text-xl mb-6 opacity-90">告别"裸奔"开发，构建坚不可摧的Java应用</p>
                    <p class="text-lg mb-8 opacity-85">Spring Boot 是目前最流行的 Java 开发框架，极大简化了 Web 开发。然而，很多程序员在开发 Spring Boot 项目时，<span class="font-bold underline">安全问题往往被忽略</span>，导致应用程序像"裸奔"一样暴露在风险之中！</p>
                    <div class="flex space-x-4">
                        <a href="#vulnerabilities" class="bg-white text-purple-700 hover:bg-gray-100 px-6 py-3 rounded-lg font-semibold transition duration-300">查看漏洞</a>
                        <a href="#solutions" class="border border-white text-white hover:bg-white hover:text-purple-700 px-6 py-3 rounded-lg font-semibold transition duration-300">最佳实践</a>
                    </div>
                </div>
                <div class="md:w-1/2 flex justify-center">
                    <img src="https://cdn.nlark.com/yuque/0/2025/png/21449790/1742806954343-872710b7-09b5-49af-a183-7f735395b740.png" alt="Spring Boot Security" class="rounded-lg shadow-2xl max-w-full h-auto">
                </div>
            </div>
        </div>
    </section>

    <!-- Intro Section -->
    <section id="intro" class="py-16 px-4 md:px-0 bg-white">
        <div class="container mx-auto max-w-5xl">
            <div class="mb-12">
                <h2 class="text-3xl font-bold mb-6 text-center text-gray-800">你的 Spring Boot 应用安全吗？</h2>
                <p class="text-xl text-gray-700 text-center mb-8">你是否觉得自己写的 Spring Boot 代码足够安全？<span class="font-bold text-red-500">如果你没做这些安全防护，黑客可能已经在你的网站里逛了一圈！</span></p>
                
                <div class="relative bg-yellow-50 border-l-4 border-yellow-400 p-6 mb-10 rounded-r-lg">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 text-yellow-500">
                            <i class="fas fa-exclamation-triangle text-xl"></i>
                        </div>
                        <div class="ml-3">
                            <h3 class="text-lg font-medium text-yellow-800">常见的 Spring Boot 安全漏洞包括：</h3>
                            <div class="mt-2 grid grid-cols-1 md:grid-cols-2 gap-3">
                                <div class="flex items-start">
                                    <span class="text-green-500 mr-2"><i class="fas fa-check-circle"></i></span>
                                    <span class="text-gray-700"><strong>SQL 注入</strong> —— 数据库直接被拖库</span>
                                </div>
                                <div class="flex items-start">
                                    <span class="text-green-500 mr-2"><i class="fas fa-check-circle"></i></span>
                                    <span class="text-gray-700"><strong>路径遍历</strong> —— 黑客可以访问服务器上的任意文件</span>
                                </div>
                                <div class="flex items-start">
                                    <span class="text-green-500 mr-2"><i class="fas fa-check-circle"></i></span>
                                    <span class="text-gray-700"><strong>CORS 配置错误</strong> —— 导致恶意网站可以窃取你的 API 数据</span>
                                </div>
                                <div class="flex items-start">
                                    <span class="text-green-500 mr-2"><i class="fas fa-check-circle"></i></span>
                                    <span class="text-gray-700"><strong>不安全的 Actuator 端点</strong> —— 服务器配置、环境变量暴露无遗</span>
                                </div>
                                <div class="flex items-start">
                                    <span class="text-green-500 mr-2"><i class="fas fa-check-circle"></i></span>
                                    <span class="text-gray-700"><strong>JWT Token 处理不当</strong> —— 用户身份随意伪造</span>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>

                <div class="text-center">
                    <p class="text-xl text-gray-700 mb-4">接下来，我们逐一剖析这 15 大漏洞，并提供最佳的解决方案！</p>
                    <a href="#vulnerabilities" class="inline-flex items-center text-purple-700 font-semibold hover:text-purple-900 transition duration-200">
                        查看详细分析
                        <i class="fas fa-arrow-down ml-2"></i>
                    </a>
                </div>
            </div>
        </div>
    </section>

    <!-- Vulnerabilities Section -->
    <section id="vulnerabilities" class="py-16 px-4 md:px-0 bg-gray-50">
        <div class="container mx-auto max-w-5xl">
            <h2 class="text-3xl font-bold mb-12 text-center text-gray-800">Spring Boot 最致命的 15 个漏洞及解决方案</h2>
            
            <div class="space-y-12">
                <!-- Vulnerability 1 -->
                <div class="vulnerability-card bg-white rounded-xl shadow-md overflow-hidden transition duration-300">
                    <div class="dropdown cursor-pointer">
                        <div class="p-6 md:p-8">
                            <div class="flex justify-between items-start">
                                <div>
                                    <div class="flex items-center mb-2">
                                        <span class="bg-red-100 text-red-800 text-xs font-semibold mr-2 px-2.5 py-0.5 rounded">高危漏洞</span>
                                        <span class="solution-tag text-white text-xs font-semibold px-2.5 py-0.5 rounded ml-2">有解决方案</span>
                                    </div>
                                    <h3 class="text-2xl font-bold text-gray-800">1. SQL 注入漏洞（SQL Injection）</h3>
                                </div>
                                <i class="fas fa-chevron-down text-gray-400 text-xl"></i>
                            </div>
                        </div>
                        <div class="dropdown-content">
                            <div class="px-6 md:px-8 pb-6 md:pb-8">
                                <div class="mb-6">
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3">漏洞描述</h4>
                                    <p class="text-gray-700">如果你的 SQL 语句是拼接字符串的形式，比如：</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-java">String sql = "SELECT * FROM users WHERE username = '" + username + "'";</code></pre>
                                    </div>
                                    <p class="text-gray-700">黑客可以输入 <code class="bg-gray-100 px-1 py-0.5 rounded">admin' OR '1'='1</code>，绕过登录验证，甚至直接删除数据库表！</p>
                                </div>
                                <div>
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3 flex items-center">
                                        <span class="w-6 h-6 bg-green-500 text-white rounded-full flex items-center justify-center mr-2">
                                            <i class="fas fa-check text-xs"></i>
                                        </span>
                                        解决方案
                                    </h4>
                                    <p class="text-gray-700 mb-4 font-semibold">使用 JPA 或 MyBatis 的参数化查询</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-java">@Query("SELECT u FROM User u WHERE u.username = :username")
User findByUsername(@Param("username") String username);</code></pre>
                                    </div>
                                    <div class="bg-blue-50 border-l-4 border-blue-400 p-4 mt-4 rounded-r-lg">
                                        <div class="flex">
                                            <div class="flex-shrink-0 text-blue-400">
                                                <i class="fas fa-lightbulb"></i>
                                            </div>
                                            <div class="ml-3">
                                                <p class="text-sm text-blue-700">
                                                    <strong>专业建议：</strong> 除了参数化查询，还应该使用ORM框架提供的安全查询方法，避免直接编写原生SQL。
                                                </p>
                                            </div>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>

                <!-- Vulnerability 2 -->
                <div class="vulnerability-card bg-white rounded-xl shadow-md overflow-hidden transition duration-300">
                    <div class="dropdown cursor-pointer">
                        <div class="p-6 md:p-8">
                            <div class="flex justify-between items-start">
                                <div>
                                    <div class="flex items-center mb-2">
                                        <span class="bg-red-100 text-red-800 text-xs font-semibold mr-2 px-2.5 py-0.5 rounded">高危漏洞</span>
                                        <span class="solution-tag text-white text-xs font-semibold px-2.5 py-0.5 rounded ml-2">有解决方案</span>
                                    </div>
                                    <h3 class="text-2xl font-bold text-gray-800">2. XSS（跨站脚本攻击）</h3>
                                </div>
                                <i class="fas fa-chevron-down text-gray-400 text-xl"></i>
                            </div>
                        </div>
                        <div class="dropdown-content">
                            <div class="px-6 md:px-8 pb-6 md:pb-8">
                                <div class="mb-6">
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3">漏洞描述</h4>
                                    <p class="text-gray-700">如果用户输入的 HTML 代码没有被正确处理，攻击者可以插入恶意脚本，比如 <code class="bg-gray-100 px-1 py-0.5 rounded">&lt;script&gt;alert('你被黑了')&lt;/script&gt;</code>。</p>
                                </div>
                                <div>
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3 flex items-center">
                                        <span class="w-6 h-6 bg-green-500 text-white rounded-full flex items-center justify-center mr-2">
                                            <i class="fas fa-check text-xs"></i>
                                        </span>
                                        解决方案
                                    </h4>
                                    <p class="text-gray-700 mb-4 font-semibold">使用 Spring Security 自带的 XSS 过滤器</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-xml">&lt;dependency&gt;
    &lt;groupId&gt;org.owasp.encoder&lt;/groupId&gt;
    &lt;artifactId&gt;encoder&lt;/artifactId&gt;
    &lt;version&gt;1.2&lt;/version&gt;
&lt;/dependency&gt;</code></pre>
                                    </div>
                                    <p class="text-gray-700">然后在代码中使用：</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-java">String safeInput = Encode.forHtml(userInput);</code></pre>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>

                <!-- Vulnerability 3 -->
                <div class="vulnerability-card bg-white rounded-xl shadow-md overflow-hidden transition duration-300">
                    <div class="dropdown cursor-pointer">
                        <div class="p-6 md:p-8">
                            <div class="flex justify-between items-start">
                                <div>
                                    <div class="flex items-center mb-2">
                                        <span class="bg-orange-100 text-orange-800 text-xs font-semibold mr-2 px-2.5 py-0.5 rounded">中危漏洞</span>
                                        <span class="solution-tag text-white text-xs font-semibold px-2.5 py-0.5 rounded ml-2">有解决方案</span>
                                    </div>
                                    <h3 class="text-2xl font-bold text-gray-800">3. CORS 配置不当，任意网站能访问你的 API</h3>
                                </div>
                                <i class="fas fa-chevron-down text-gray-400 text-xl"></i>
                            </div>
                        </div>
                        <div class="dropdown-content">
                            <div class="px-6 md:px-8 pb-6 md:pb-8">
                                <div class="mb-6">
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3">漏洞描述</h4>
                                    <p class="text-gray-700">如果你的 API 没有正确配置 CORS，任何网站都可以通过 JavaScript 访问你的数据！</p>
                                </div>
                                <div>
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3 flex items-center">
                                        <span class="w-6 h-6 bg-green-500 text-white rounded-full flex items-center justify-center mr-2">
                                            <i class="fas fa-check text-xs"></i>
                                        </span>
                                        解决方案
                                    </h4>
                                    <p class="text-gray-700 mb-4 font-semibold">配置 CORS 只允许特定域名访问</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-java">@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurer() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/api/**")
                    .allowedOrigins("https://yourdomain.com")
                    .allowedMethods("GET", "POST");
        }
    };
}</code></pre>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>

                <!-- Vulnerability 4 -->
                <div class="vulnerability-card bg-white rounded-xl shadow-md overflow-hidden transition duration-300">
                    <div class="dropdown cursor-pointer">
                        <div class="p-6 md:p-8">
                            <div class="flex justify-between items-start">
                                <div>
                                    <div class="flex items-center mb-2">
                                        <span class="bg-red-100 text-red-800 text-xs font-semibold mr-2 px-2.5 py-0.5 rounded">高危漏洞</span>
                                        <span class="solution-tag text-white text-xs font-semibold px-2.5 py-0.5 rounded ml-2">有解决方案</span>
                                    </div>
                                    <h3 class="text-2xl font-bold text-gray-800">4. 不安全的 Actuator 端点</h3>
                                </div>
                                <i class="fas fa-chevron-down text-gray-400 text-xl"></i>
                            </div>
                        </div>
                        <div class="dropdown-content">
                            <div class="px-6 md:px-8 pb-6 md:pb-8">
                                <div class="mb-6">
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3">漏洞描述</h4>
                                    <p class="text-gray-700">Spring Boot Actuator 提供了很多运维功能，但如果你没有加权限控制，黑客可以访问 <code class="bg-gray-100 px-1 py-0.5 rounded">/actuator/env</code> 直接看到你的配置信息！</p>
                                </div>
                                <div>
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3 flex items-center">
                                        <span class="w-6 h-6 bg-green-500 text-white rounded-full flex items-center justify-center mr-2">
                                            <i class="fas fa-check text-xs"></i>
                                        </span>
                                        解决方案
                                    </h4>
                                    <p class="text-gray-700 mb-4 font-semibold">禁用不必要的 Actuator 端点，并加上权限控制</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-yaml">management:
  endpoints:
    web:
      exposure:
        include: ["health", "info"]</code></pre>
                                    </div>
                                    <p class="text-gray-700">或者使用 Spring Security 保护它们：</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-java">http.authorizeRequests()
    .requestMatchers("/actuator/**").hasRole("ADMIN")
    .and().httpBasic();</code></pre>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>

                <!-- Vulnerability 5 -->
                <div class="vulnerability-card bg-white rounded-xl shadow-md overflow-hidden transition duration-300">
                    <div class="dropdown cursor-pointer">
                        <div class="p-6 md:p-8">
                            <div class="flex justify-between items-start">
                                <div>
                                    <div class="flex items-center mb-2">
                                        <span class="bg-red-100 text-red-800 text-xs font-semibold mr-2 px-2.5 py-0.5 rounded">高危漏洞</span>
                                        <span class="solution-tag text-white text-xs font-semibold px-2.5 py-0.5 rounded ml-2">有解决方案</span>
                                    </div>
                                    <h3 class="text-2xl font-bold text-gray-800">5. 服务器文件路径遍历漏洞</h3>
                                </div>
                                <i class="fas fa-chevron-down text-gray-400 text-xl"></i>
                            </div>
                        </div>
                        <div class="dropdown-content">
                            <div class="px-6 md:px-8 pb-6 md:pb-8">
                                <div class="mb-6">
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3">漏洞描述</h4>
                                    <p class="text-gray-700">如果你允许用户访问 <code class="bg-gray-100 px-1 py-0.5 rounded">/files?path=../../etc/passwd</code>，那么恭喜你，黑客可以直接读取你的服务器敏感文件！</p>
                                </div>
                                <div>
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3 flex items-center">
                                        <span class="w-6 h-6 bg-green-500 text-white rounded-full flex items-center justify-center mr-2">
                                            <i class="fas fa-check text-xs"></i>
                                        </span>
                                        解决方案
                                    </h4>
                                    <p class="text-gray-700 mb-4 font-semibold">使用白名单或者直接禁用路径访问</p>
                                    <div class="code-block p-4 my-4 rounded-lg">
                                        <pre><code class="language-java">if (userInput.contains("..") || userInput.startsWith("/")) {
    throw new SecurityException("非法路径访问！");
}</code></pre>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>

                <!-- Vulnerability 6 -->
                <div class="vulnerability-card bg-white rounded-xl shadow-md overflow-hidden transition duration-300">
                    <div class="dropdown cursor-pointer">
                        <div class="p-6 md:p-8">
                            <div class="flex justify-between items-start">
                                <div>
                                    <div class="flex items-center mb-2">
                                        <span class="bg-red-100 text-red-800 text-xs font-semibold mr-2 px-2.5 py-0.5 rounded">高危漏洞</span>
                                        <span class="solution-tag text-white text-xs font-semibold px-2.5 py-0.5 rounded ml-2">有解决方案</span>
                                    </div>
                                    <h3 class="text-2xl font-bold text-gray-800">6. JWT Token 处理不当，用户身份可伪造</h3>
                                </div>
                                <i class="fas fa-chevron-down text-gray-400 text-xl"></i>
                            </div>
                        </div>
                        <div class="dropdown-content">
                            <div class="px-6 md:px-8 pb-6 md:pb-8">
                                <div class="mb-6">
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3">漏洞描述</h4>
                                    <p class="text-gray-700">如果你的 JWT 密钥泄露，黑客就可以伪造任意用户的身份！</p>
                                </div>
                                <div>
                                    <h4 class="text-lg font-semibold text-gray-800 mb-3 flex items-center">
                                        <span class="w-6 h-6 bg-green-500 text-white rounded-full flex items-center justify-center mr-2">
                                            <i class="fas fa-check text-xs"></i>
                                        </span>
                                        解决方案
                                    </h4>
                                    <div class="space-y-4">
                                        <p class="text-gray-700"><strong>• 使用强随机密钥</strong>（至少 256 位）</p>
                                        <p class="text-gray-700"><strong>• 在 JWT Payload 里不要存放敏感信息</strong></p>
                                        <p class="text-gray-700"><strong>• 设置 Token 过期时间</strong></p>
                                        <div class="code-block p-4 my-4 rounded-lg">
                                            <pre><code class="language-yaml">jwt:
  secret: "your-secure-random-secret-key"
  expiration: 3600</code></pre>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </section>

    <!-- Best Practices Section -->
    <section id="solutions" class="py-16 px-4 md:px-0 bg-white">
        <div class="container mx-auto max-w-5xl">
            <div class="text-center mb-12">
                <h2 class="text-3xl font-bold mb-6 text-gray-800">如何让你的 Spring Boot 应用更安全？</h2>
                <div class="w-24 h-1 bg-purple-600 mx-auto mb-8"></div>
                <p class="text-xl text-gray-700 mb-8">这里是 Spring Boot 安全最佳实践清单：</p>
            </div>
            
            <div class="grid grid-cols-1 md:grid-cols-2 gap-6 mb-12">
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-lock text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">永远不要拼接 SQL 语句，使用参数化查询！</h3>
                            <p class="text-gray-700">参数化查询可以有效防止SQL注入攻击，是数据库安全的第一道防线。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-shield-alt text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">开启 Spring Security，默认安全配置就能防住 80% 的攻击！</h3>
                            <p class="text-gray-700">Spring Security提供了强大的安全功能，包括认证、授权、防护等。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-filter text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">对所有用户输入进行 XSS 过滤，防止恶意脚本攻击！</h3>
                            <p class="text-gray-700">XSS攻击可以窃取用户数据或执行恶意操作，输入过滤是必须的安全措施。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-globe text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">配置 CORS 规则，不要让任意网站访问你的 API！</h3>
                            <p class="text-gray-700">正确的CORS配置可以防止跨域攻击，保护你的API不被恶意网站利用。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-cog text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">Actuator 端点一定要加权限控制！</h3>
                            <p class="text-gray-700">Actuator端点暴露了大量系统信息，必须严格限制访问权限。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-file-alt text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">不要直接暴露服务器文件路径！</h3>
                            <p class="text-gray-700">文件路径遍历攻击可以让黑客访问任意系统文件，必须严格验证用户输入。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-key text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">JWT Token 记得加密，并设置合理的过期时间！</h3>
                            <p class="text-gray-700">JWT安全依赖于密钥强度和过期策略，必须使用强密钥并设置适当过期时间。</p>
                        </div>
                    </div>
                </div>
                <div class="bg-gray-50 p-6 rounded-lg border-l-4 border-purple-600 hover:bg-gray-100 transition duration-300">
                    <div class="flex items-start">
                        <div class="flex-shrink-0 mt-1 text-purple-600">
                            <i class="fas fa-sync-alt text-xl"></i>
                        </div>
                        <div class="ml-4">
                            <h3 class="text-lg font-semibold text-gray-800 mb-2">定期升级 Spring Boot 版本，及时修复安全漏洞！</h3>
                            <p class="text-gray-700">保持框架和依赖库的最新版本可以修复已知漏洞，是安全维护的重要部分。</p>
                        </div>
                    </div>
                </div>
            </div>

            <div class="bg-blue-50 border-l-4 border-blue-400 p-6 rounded-r-lg">
                <div class="flex">
                    <div class="flex-shrink-0 text-blue-400">
                        <i class="fas fa-star text-xl"></i>
                    </div>
                    <div class="ml-4">
                        <h3 class="text-lg font-semibold text-blue-800">专业安全建议</h3>
                        <p class="mt-1 text-blue-700">
                            除了上述基础防护措施，企业级应用还应该考虑：
                            <strong>定期安全审计</strong>、
                            <strong>渗透测试</strong>、
                            <strong>安全日志监控</strong>和
                            <strong>应急响应计划</strong>。
                            安全是一个持续的过程，需要团队每个成员的重视和参与。
                        </p>
                    </div>
                </div>
            </div>
        </div>
    </section>

    <!-- Visualization Section -->
    <section class="py-16 px-4 md:px-0 bg-gray-50">
        <div class="container mx-auto max-w-5xl">
            <h2 class="text-3xl font-bold mb-12 text-center text-gray-800">Spring Boot 安全威胁关系图</h2>
            <div class="bg-white p-6 rounded-xl shadow-md">
                <div class="mermaid">
                    graph TD
                        A[Spring Boot 应用] --> B[SQL注入]
                        A --> C[XSS攻击]
                        A --> D[CSRF攻击]
                        A --> E[不安全的CORS]
                        A --> F[Actuator暴露]
                        A --> G[路径遍历]
                        A --> H[JWT漏洞]
                        
                        B --> I[数据库泄露]
                        C --> J[会话劫持]
                        D --> K[未授权操作]
                        E --> L[数据泄露]
                        F --> M[配置信息泄露]
                        G --> N[系统文件泄露]
                        H --> O[身份伪造]
                        
                        style A fill:#6e48aa,color:white,stroke:#6e48aa
                        style B fill:#ef4444,color:white
                        style C fill:#ef4444,color:white
                        style D fill:#ef4444,color:white
                        style E fill:#f59e0b,color:white
                        style F fill:#ef4444,color:white
                        style G fill:#ef4444,color:white
                        style H fill:#ef4444,color:white
                        
                        style I fill:#dc2626,color:white
                        style J fill:#dc2626,color:white
                        style K fill:#dc2626,color:white
                        style L fill:#b45309,color:white
                        style M fill:#dc2626,color:white
                        style N fill:#dc2626,color:white
                        style O fill:#dc2626,color:white
                </div>
            </div>
        </div>
    </section>

    <!-- Conclusion Section -->
    <section class="py-16 px-4 md:px-0 bg-white">
        <div class="container mx-auto max-w-5xl">
            <div class="text-center mb-12">
                <h2 class="text-3xl font-bold mb-6 text-gray-800">安全开发，从今天开始</h2>
                <div class="w-24 h-1 bg-purple-600 mx-auto mb-8"></div>
                <p class="text-xl text-gray-700 max-w-3xl mx-auto leading-relaxed">
                    <span class="first-letter">S</span>pring Boot 让开发变得简单，但安全从来不是默认选项。通过实施本文介绍的安全措施，你可以大大降低应用被攻击的风险。记住，安全不是一次性工作，而是需要持续关注的开发实践。
                </p>
            </div>
            
            <div class="bg-purple-50 p-8 rounded-xl text-center">
                <h3 class="text-2xl font-bold text-purple-800 mb-4">想要深入了解更多安全知识？</h3>
                <p class="text-purple-700 mb-6">订阅我们的安全通讯，获取最新的安全防护技巧和漏洞预警。</p>
                <div class="max-w-md mx-auto flex">
                    <input type="email" placeholder="输入您的邮箱地址" class="flex-grow px-4 py-3 rounded-l-lg border border-gray-300 focus:outline-none focus:ring-2 focus:ring-purple-500 focus:border-transparent">
                    <button class="bg-purple-600 hover:bg-purple-700 text-white px-6 py-3 rounded-r-lg font-semibold transition duration-300">订阅</button>
                </div>
            </div>
        </div>
    </section>

    <!-- Footer -->
    <footer class="bg-gray-900 text-gray-300 py-12 px-4">
        <div class="container mx-auto max-w-5xl">
            <div class="flex flex-col md:flex-row justify-between items-center">
                <div class="mb-6 md:mb-0">
                    <h3 class="text-xl font-bold text-white mb-2">技术小馆</h3>
                    <p class="text-gray-400">专业的开发者知识分享平台</p>
                </div>
                <div>
                    <a href="http://www.yuque.com/jtostring" class="text-gray-300 hover:text-white transition duration-200 flex items-center">
                        <i class="fas fa-link mr-2"></i> 技术小馆地址：http://www.yuque.com/jtostring
                    </a>
                </div>
            </div>
            <div class="border-t border-gray-800 mt-8 pt-8 text-center text-gray-500 text-sm">
                <p>© 2023 技术小馆. 保留所有权利.</p>
            </div>
        </div>
    </footer>

    <script>
        mermaid.initialize({
            startOnLoad: true,
            theme: 'default',
            flowchart: {
                useMaxWidth: true,
                htmlLabels: true,
                curve: 'basis'
            }
        });
        
        // 展开/收起漏洞详情
        document.querySelectorAll('.dropdown').forEach(item => {
            item.addEventListener('click', function() {
                const icon = this.querySelector('i');
                const content = this.querySelector('.dropdown-content');
                
                if (content.style.maxHeight) {
                    content.style.maxHeight = null;
                    icon.classList.remove('fa-chevron-up');
                    icon.classList.add('fa-chevron-down');
                } else {
                    content.style.maxHeight = content.scrollHeight + 'px';
                    icon.classList.remove('fa-chevron-down');
                    icon.classList.add('fa-chevron-up');
                }
            });
        });
    </script>
</body>
</html>
```